Abstract

It is widely believed that quantum key distribution (QKD) has been proved unconditionally secure for realistic models applicable to various current experimental schemes. Here we summarize briefly why this is not the case, from both the viewpoints of fundamental quantitative security and applicable models of security analysis, with some morals drawn.

1 Introduction 

After the appearance of papers last year on fundamental QKD security [1] and the complete breach of concrete QKD systems [2-3], claims have persistently been made [4] that QKD is already proved unconditionally secure in principle in various models. However, ref [2] and its extensions [3,5] highlight in a forceful manner the precarious situation of such widespread claims, especially on concrete experimental systems. Imagine the consequence if the Norway group had kept their detector "blinding attacks" secret and made them available to selected parties after a QKD system had been deployed, the users having been convinced of its "unconditional" security or whatever other imposing security terminology had been employed. The fact of the matter is that the security proofs of the models, assuming the deductions are totally valid (but they are actually not), contain general and specific assumptions that are simply not satisfied in practice. Moreover, the security criteria themselves used in the proofs do not guarantee proper security when satisfied. This paper tries to outline the underlying reasons, and indicates some ways to deal with the situation.
2 Security is not merely a matter of definition

Thus far a single-number criterion on a single quantity has been used as the security criterion in QKD security proofs, from mutual information to trace distance. However, in accord with detection theory an attacker Eve would obtain from the measurement result on her probe a whole probability distribution $\{q_j\}$, $j \in \{1, \ldots, M\}$, for the $M = 2^m$ possible values of an $m$-bit data $X$ from which an $n$-bit final key $K$ is drawn after the use of an error correction code (ECC) and a privacy amplification code (PAC). Since PAC is a known hash function, this distribution $\{q_j\}$ on $X$ leads to the distribution $\{p_i\}$ on $K$, $i \in \{1, \ldots, N\}$ with $N = 2^n$. A bound on the mutual information or any single-number criterion on $X$ or $K$ merely expresses a constraint on $\{q_j\}$ or $\{p_i\}$.

Since one is using $K$ as if it is uniformly distributed to Eve, i.e., with probability $1/N$ for each of the $N$ possible key values, one must bound the difference between the probability $2^{-|\tilde{K}|}$ of a uniformly distributed subset $\tilde{K}$ of size $|\tilde{K}|$ and Eve's optimum probability $p_1(\tilde{K})$ of estimating $\tilde{K}$ correctly in any attack to be below a prescribed security level,

$$\bigl|\,p_1(\tilde{K}) - 2^{-|\tilde{K}|}\,\bigr| \le \epsilon(\tilde{K}) \quad \text{for each } \tilde{K} \subseteq K \qquad (1)$$

When $\epsilon(\tilde{K})$ can be made sufficiently small, condition (1) gives $K$ the information-theoretic (IT) "semantic security" required for meaningful "unconditional security". Thus, good security demands semantic security that may not be obtainable quantitatively from another criterion, especially a single-number criterion that is not bounded tightly enough. Security is a quantitative issue. It is also not a mere mathematical issue for which one can adopt whatever mathematical definition seems intuitively suitable. In particular, it must be expressed by Eve's success probabilities of correctly estimating various properties of $K$, which can all be derived from (1).

When Eve tries to estimate $K$ from just its generation process, the resulting security of $K$ is called "raw security", to be distinguished from its "composition security" when $K$ is actually used. General composition security is a complicated matter and we will just restrict our attention to the case when $K$ is used for encryption, say in the one-time pad format often suggested. In such a situation part of $K$ may be revealed to Eve in a known-plaintext attack (KPA), which may help her find the rest of $K$ and thus the rest of the data, unknown to Eve at the beginning, which is encrypted by $K$ to yield the ciphertext. Security against such leakage of $K$ will be called "KPA security".

It is important to note that proof of general KPA security is necessary for any claim of 
unconditional security on K to be used for encryption. This is because the use of conventional 
symmetric key ciphers for key expansion also gives raw IT security, and thus they, not 
RSA, are the appropriate conventional ciphers one should compare QKD to. This is a fair 
comparison because the use of a shared secret key for message authentication during key 
generation is necessary, though not included thus far in the security analysis of any QKD 
protocol. (KCQ protocols [6] use a shared secret key explicitly.) In addition, the raw security 
of such conventional ciphers is far better than that of concrete QKD systems that have been 
studied experimentally or theoretically. The superiority of concrete QKD must lie in its 
KPA security, which is the usual security concern because the shared secret key is typically 
totally hidden when the data X is uniform to Eve. 



3 Problems of the mutual information criterion 

Eve's accessible information on $K$ from her attack is the most commonly used security criterion, and so far the only one used in all experimental schemes. It is Eve's mutual information $I_E$ with respect to $K$ under optimal measurement on her probe. Information or entropy expresses a constraint on the whole distribution $\{p_i\}$ Eve may get from the measurement result on her probe. It has been repeatedly pointed out [7,8,1] that there are distributions consistent with a given $I_E$ such that her maximum probability $p_1$ of estimating the whole key $K$ correctly is given by

$$p_1 \sim \frac{I_E}{n} = 2^{-l} \qquad (2)$$

Thus, unless $l \sim n$, the raw security of $K$ so guaranteed may be quite inferior to that of a uniform key. The other subsets $\tilde{K}$ of $K$ suffer similarly. The practical values of $I_E$ obtained in experimental schemes indeed give very large $p_1$ in this sense [1,8].

Under KPA, knowing some bits of $K$ does not render the rest of $K$ more insecure if Eve has no quantum memory [1]. If Eve does have quantum memory, possible locking information would render $K$ insecure [9] or even very insecure [10]. In fact, the latter can be understood from (2) as follows. The bits of $K$ gained in a KPA could reduce the exponent of $p_1$ in (2). Indeed, it only takes

$$l' = l + \log n \qquad (3)$$

bits to change $p_1$ to the value 1 when Eve measures on her probe with this added information on $K$.
The variational distance

$$\delta_E \equiv \delta(P, U) = \frac{1}{2} \sum_i |P_i - U_i| \qquad (4)$$

between Eve's probability distribution $\{p_i\}$ on $K$, averaged over $K$, and the uniform distribution $U$ of $n$ bits has quantitative behavior similar to $I_E$. In particular, when $p_1$ is large compared to $1/N$, $\delta_E$ could give a $p_1$ as big as in the case $\delta_E = I_E/n$, i.e., the value of (2). Thus, the same problem occurs under KPA as in the case of the $I_E$ criterion above. When $\delta_E \le \epsilon = 2^{-l}$ with $l \sim n$, good security close to $U$ may be obtained.
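The gap between a single-number bound and Eve's actual guessing probability can be made concrete numerically. The following Python example is added here and is not part of the paper: it constructs Eve's distribution on a 16-bit key with a "spike" of mass $1/16$ on one key value and the rest uniform (the key length, the spike mass and the spike position are constructed choices), then evaluates $I_E$, $p_1$, the variational distance of eq. (4), and the left-hand side of condition (1) for a sub-key. The outcome is the behaviour of eq. (2): $I_E$ is below one bit while $p_1$ is $2^{-4}$ instead of $2^{-16}$, every 8-bit sub-key is guessed with excess probability close to $p_1$, and $\delta_E$ is essentially equal to $p_1$.

```python
# Added worked example (not from the paper): a key distribution that satisfies a
# small mutual-information bound yet gives Eve a large guessing probability on
# the whole key and on every sub-key, and whose variational distance from the
# uniform distribution is essentially that guessing probability.
import math

N_BITS = 16        # key length n (constructed; small enough to enumerate all 2^n keys)
P1 = 1.0 / 16      # constructed mass Eve's distribution puts on her favourite key value


def spiked_distribution(n, p1, spike=0):
    """Eve's distribution {p_i} on the n-bit key K: probability p1 on the key
    value `spike`, the remainder spread uniformly over the other 2^n - 1 values."""
    N = 1 << n
    rest = (1.0 - p1) / (N - 1)
    return [p1 if k == spike else rest for k in range(N)]


def entropy_bits(dist):
    """Shannon entropy of a distribution, in bits."""
    return -sum(p * math.log2(p) for p in dist if p > 0.0)


def mutual_information(dist, n):
    """I_E = H(U) - H(P): Eve's information on K in bits when her posterior on K
    is `dist` and the prior on K is the uniform distribution on n bits."""
    return n - entropy_bits(dist)


def guess_probability(dist):
    """p_1: Eve's optimum probability of guessing the whole key, max_k P(k)."""
    return max(dist)


def variational_distance(dist):
    """delta(P, U) = (1/2) sum_k |P(k) - U(k)| of eq. (4), with U uniform."""
    u = 1.0 / len(dist)
    return 0.5 * sum(abs(p - u) for p in dist)


def subset_guess_probability(dist, bit_positions):
    """Eve's optimum probability of guessing the sub-key formed by the given bit
    positions of K, obtained by marginalising her distribution onto those bits."""
    bits = list(bit_positions)
    marginal = {}
    for k, p in enumerate(dist):
        sub = tuple((k >> b) & 1 for b in bits)
        marginal[sub] = marginal.get(sub, 0.0) + p
    return max(marginal.values())


def semantic_security_gap(dist, bit_positions):
    """Left-hand side of condition (1) for a sub-key: p_1(K~) - 2^{-|K~|}.
    A uniform key gives 0; a positive value is Eve's excess over uniform."""
    bits = list(bit_positions)
    return subset_guess_probability(dist, bits) - 2.0 ** (-len(bits))


EVE = spiked_distribution(N_BITS, P1)   # Eve's constructed posterior on K

if __name__ == "__main__":
    i_e = mutual_information(EVE, N_BITS)
    print(f"I_E            = {i_e:.4f} bits, I_E/n = {i_e / N_BITS:.4f}")
    print(f"p_1            = {guess_probability(EVE):.4g} (uniform key: {2.0 ** -N_BITS:.4g})")
    print(f"delta_E        = {variational_distance(EVE):.4g}")
    print(f"8-bit sub-key  : p_1(K~) - 2^-8 = {semantic_security_gap(EVE, range(8)):.4g}")
```

The mutual information here comes out near 0.66 bits, so $I_E/n \approx 0.04$, the same order as $p_1 = 0.0625$; a bound of "under one bit leaked" says nothing that prevents Eve from holding the whole key with probability $2^{-4}$, which is what eq. (2) expresses.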



4 Problems of the trace distance criterion 

The trace distance quantum criterion

$$\frac{1}{2} \|\rho_1 - \rho_2\|_1 \le \epsilon \qquad (5)$$

between two density operators $\rho_1$ and $\rho_2$ says that the variational distance between the two distributions $P$ and $Q$ obtained in a measurement as derived from $\rho_1$ and $\rho_2$ satisfies $\delta(P, Q) \le \epsilon$. Let $\rho_E^k$ be the state of Eve's probe when the actual $K$ has value $k$. Then (5) says, with $\rho_1 = \rho_E^k$ and $\rho_2 = \rho_U$ the uniform mixed state with rank $N$, that for any measurement Eve may make on her probe one has $\delta_E \le \epsilon$. The problem of such a security criterion is indicated through $\delta_E$ above.

With $\rho_E = \mathbb{E}_k[\rho_E^k]$, the following trace distance

$$d = \frac{1}{2} \|\rho_{KE} - \rho_U \otimes \rho_E\|_1 \qquad (6)$$

for a joint state $\rho_{KE}$ is used [11] with the interpretation that when $d = \epsilon$, $K$ equals $U$ with probability $1 - \epsilon$ to Eve and the value $k$ also becomes independent of $\rho_E^k$. This implies "universal composability", including security against KPA. In ref [14] it has been analyzed in detail why this interpretation cannot be true with any probability. We can describe the reason simply as follows.

The main error arises from the conclusion in ref [11] that $\delta(P, Q) = \epsilon$ implies $P$ and $Q$ are the same distribution with probability $1 - \epsilon$. This conclusion was derived from the existence of a joint distribution $D$ that gives $P$ and $Q$ as marginals and yields the above interpretation. Why would this $D$ arise in the cryptosystem? In fact, even when a joint distribution different from the product form $PQ$ is in force, why would it be this particular one (which is actually the optimal one) for the interpretation to obtain? In reality, one is simply comparing two distributions and the joint distribution should be $PQ$. It is indeed clear directly from the definition of $\delta(P, Q)$ that $P$ and $Q$ must differ when $\delta(P, Q) = \epsilon > 0$.
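The role of the joint distribution in this argument can be seen numerically. The following Python illustration is added here and is not part of the paper: for a constructed distribution $P$ on a 16-value key (mass $0.25$ on one value, the rest uniform) and the uniform $Q = U$, it computes $\delta(P, Q)$, the agreement probability $\Pr[X = Y]$ under the maximal coupling $D$ (whose diagonal is $\min(P_i, Q_i)$, giving exactly $1 - \delta$), and the agreement probability under the product distribution $PQ$. The "agrees with probability $1 - \epsilon$" reading is a property of $D$ alone; under $PQ$ the agreement is $1/N$ whatever $P$ is, and Eve's actual guessing probability $\max_i P_i$ is governed by $P$ itself.

```python
# Added illustration (not from the paper): the same variational distance
# delta(P, Q) = eps is compatible with very different "probabilities that P and
# Q agree", depending on which joint distribution with marginals P and Q is
# assumed.  Only the maximal coupling yields the value 1 - eps.


def variational_distance(P, Q):
    """delta(P, Q) = (1/2) sum_i |P_i - Q_i|."""
    return 0.5 * sum(abs(p - q) for p, q in zip(P, Q))


def maximal_coupling_agreement(P, Q):
    """Pr[X = Y] under the joint distribution D with marginals P and Q that
    maximises agreement: its diagonal is min(P_i, Q_i), so the value is
    sum_i min(P_i, Q_i) = 1 - delta(P, Q)."""
    return sum(min(p, q) for p, q in zip(P, Q))


def product_agreement(P, Q):
    """Pr[X = Y] under the product joint distribution PQ, i.e. X ~ P and Y ~ Q
    drawn independently, which is the situation when two distributions are
    merely compared."""
    return sum(p * q for p, q in zip(P, Q))


def guess_probability(P):
    """Eve's optimum probability of guessing the value, max_i P_i."""
    return max(P)


def spiked(N, p1):
    """Constructed P: mass p1 on value 0, the rest uniform on the other N-1 values."""
    return [p1] + [(1.0 - p1) / (N - 1)] * (N - 1)


def uniform(N):
    return [1.0 / N] * N


N = 16                    # constructed key alphabet size
EVE = spiked(N, 0.25)     # constructed Eve distribution P
U = uniform(N)            # Q = U, the ideal uniform key

if __name__ == "__main__":
    eps = variational_distance(EVE, U)
    print(f"delta(P, U)                     = {eps:.4f}")
    print(f"Pr[X = Y] under maximal coupling = {maximal_coupling_agreement(EVE, U):.4f} (= 1 - delta)")
    print(f"Pr[X = Y] under product PQ       = {product_agreement(EVE, U):.4f} (= 1/N)")
    print(f"Eve's guessing probability on P  = {guess_probability(EVE):.4f} (uniform: {1.0 / N:.4f})")
```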

Sometimes the term "failure probability" is used [12,13] without explicitly saying what that means. In [14] it is shown that $\epsilon$ does not itself have a probability interpretation. Thus, it is not any "failure probability". A related source of this error, which was not discussed in ref [1], is a misinterpretation of the notion of an "$\epsilon$-indistinguishable" measure. It is concluded [12] from (5) that $\rho_1$ and $\rho_2$ are "$\epsilon$-indistinguishable" and thus the protocol has "failure probability" $\ge 1 - \epsilon$. The problem of "$\epsilon$-indistinguishable" for a KPA security guarantee is a quantitative one similar to (2)-(3) above. A detailed explanation of the whole situation is given in [15].
5 True key generation rate and limitation of privacy amplification

It is important to observe that Eve's maximum probability $q_1$ on the data $X$ is equal to her $p_1$ on $K$, and that $p_1$ cannot be improved by further PA. This is because a known transformation from ECC+PAC would just bring the most likely value of the data or key to a final value of $K$ with the same probability. On the other hand, it is clear from (2) that the rate of secure key generation is limited to $l/n$. Thus, the unconditionally secure key generation rate cannot be given by what has been asserted in the literature, but is determined via the $p_1$ exponent. Moreover, this rate is determined by $q_1$, and we just saw it cannot be improved via PA.

In finite protocols (no real protocol operates in the asymptotic limit $n \to \infty$) it makes little sense to say a quantity grows exponentially in $n$ without some estimate of the actual convergence rate, because any value can be written as an exponential in $n$. It is more accurate to just say that $l$ secure bits are generated in the round. For concrete protocols $l$ is very small thus far and may not even cover the message authentication bits used in any normal IT-secure authentication scheme.

6 True security and asymptotic proof 

Note that even with PA to extract semantically secure bits from the $p_1$ exponent, fundamental security has not been guaranteed. The use of the Markov inequality to convert an average guarantee to a probable individual guarantee would just reduce the quantitative value that has been achieved. Much more significantly, Eve could launch an optimal quantum attack on a specific subset $\tilde{K}$ of $K$ which, because of quantum mechanics, can be superior to what she may obtain by attacking the whole $K$, and this must be bounded in a security proof.

In this connection, it is important to point out that the asymptotic limit that so many security proofs are based upon overestimates both what the users can achieve and what Eve can achieve in a finite situation. This is clear information-theoretically, because all the "capacity"-like statements involving mutual information are well known to be limiting capabilities. For example, the actual "random coding exponent" or channel reliability function [16] for finite $n$, similar to the $p_1$ exponent, is what controls finite system performance, not the capacities. This applies to both the users and Eve, and is overlooked also in the classical literature on key generation. Basically, cryptographers should be working with detection theory, not information theory, for ascertaining performance by any party. Probability has an operational interpretation and is what matters IT-wise (but IT in the broad sense), not any other theoretical quantity like mutual information that needs to be translated back to probability as done in ref [1,7].

This last point is very important. It shows the possibility of secure key generation is not 
determined by any capacity statement. Indeed, in KCQ (keyed communication in quantum 
noise) [7] one does not allow coding or indefinitely large n for Eve other than her optimum 
decision on a finite-n system. Quantum information locking may help significantly for KCQ 
but it is not necessary. 

Some details and further elaboration on Sections II-VI can be found in [14,15].
[Figure 1: schematic of "probabilistic pre-detection"; panel labels: "Input state in loss $\rho$", "Input state in less loss".]

Figure 1: Schematic way to eliminate or reduce the effect of loss by user: loss is alleviated or eliminated with favorable pre-detection outcome.

7 Grave effect of loss on security 

Real optical systems have significant loss. If the transmission loss is small one can treat deleted bits as random errors. Security claims were often made with loss taken into account only in the throughput, via post-detection selection of the detected events. That this is clearly not a valid inference can be seen from the situation of B92, for which security is totally breached in an intercept-resend attack when the loss is above a certain threshold determined by the two signal states, or in any coherent-state BB84 protocol [17].

Generally, the users may try to reduce loss by pre-detection as indicated in Fig. 1, with a success probability itself limited by the loss. Examples include QND measurement and the "heralded qubit amplifier". However, Eve also has a similar attack approach, the "probabilistic re-send (PRS) attack" indicated in Fig. 2. Sufficient loss would allow her to cover the deleted bits in principle, and often in practice also. PRS attacks include probabilistic approximate cloning, which is itself a generalization of the attack in ref [17] that is equivalent to probabilistic exact cloning. Note that the possibility of bit deletion from loss violates the usual information-disturbance tradeoff that underlies QKD security, in that information can be gained by Eve without causing any relevant disturbance.

[Figure 2: schematic of "probabilistic re-send"; panel labels: "Input state in loss $\rho$", "Faked input state $\rho_f$".]

Figure 2: Schematic way to take advantage of loss by attacker: a more favorable input state $\rho_f$ from Eve's viewpoint is sought with possible quantum signal detection (PRS attack).

While PRS attacks can be covered in a sufficiently general formulation on Eve's probe, they are not automatically covered by merely bringing up the possible use of post-detection selection [18], QND measurement or squashing [19-20], or the heralded qubit amplifier [21]. Indeed, it does not seem that a security proof covering all possible PRS attacks in significant loss has ever appeared. The analysis of ref [22] includes detector inefficiency but not transmission loss. Absorbing transmission loss in the detector efficiency, with the input state replaced by a state without loss, is just the same as post-detection selection, in addition to yielding a possibly very small detector efficiency. Note that there is no complete security proof in loss even just under individual attack. This grave consequence of loss on security has been pointed out previously in [8], and further elaborated in [23].

8 Problems of modeling versus side channel 

There are two kinds of mathematical modeling problems in QKD security analysis of concrete 
systems: 

(A) whether the model includes typical general features of a real cryptosystem; 

(B) whether the operative assumptions of the security analysis are satisfied in the real system it is applied to.

As an example of (A), the quantum signal state space in any QKD implementation is never a qubit but an infinite-dimensional boson mode. That a dimension different from two may breach security is clearly brought out in a specific example [24]. The situation of loss is discussed above. Thus, no qubit-based security proof is directly applicable to a real system, but such security claims were often made on the basis of qubit proofs.

There are many examples of (B), such as the use of the threshold detector or Poisson source model for lasers without phase randomization. Much more significant are the time-shift attack [25] based on detector efficiency mismatch [26] and the blinding attacks [2-3,5]. Detector efficiency mismatch has been dealt with in ref [18]. What is unsettling about the time-shift attack is that the detailed detection mechanism in the detector can be exploited to lead to a huge mismatch. The blinding attacks (based on detector controllability by Eve more essentially than on "faked states") are even more unsettling, because they do not lead to any common detector imperfection representation and rely on the internal detector electronic behavior. While the particular possibility of detector blinding can be added in a security analysis [27], it is not clear how one would know that all the relevant internal electronics behavior has been included in any particular model. Some discussion of similar but more general modeling questions can be found in ref [28]. Note that Fig. 2 can be used to represent timing and blinding attacks, when the input state itself is already "faked" in a specific way by Eve and the detector electronic behavior and total system loss may together allow an attack to succeed.
In this connection, it may be pointed out that this is not a "side channel" issue as is the case with the RSA timing attack. Side channels can be closed once and for all, but the detector in a QKD system is an integral part of the receiver one must have, part of the "main channel". For example, if a detector leaks radiation of different characteristics depending on the incoming state, it can be sealed and thus the leak is a side channel. But the detection mechanism is not a side channel. Another point is that a side channel would not affect the original cryptosystem representation, surely the case also for the RSA timing attack. However, the system model has to be extended to include the time-shift attack and the blinding attack [27]. To what extent must one model the internal behavior of a detector, or any system component, so that the resulting security analysis captures all the relevant features of the cryptosystem, instead of getting new surprises from time to time? If this question is not settled there will be no security proof for any concrete QKD system even just in principle, whatever else one may have achieved. The detector representation problem goes beyond (B) and squarely to (A) above, an issue of completeness of the cryptosystem model.

There are other systems that are not subject to such detector based attacks, including 
continuous variable QKD which is, however, not yet proved secure according to the standard 
view in the literature [13]. The KCQ approach [6] is also immune to such attacks, especially 
Y00 in any of the formats (PSK, ISK, QAM) that have been studied, because there is 
essentially no deleted bit. However, general IT security has not been established for any 
KCQ protocol. 
9 Outlook

Security is a serious matter and cannot be established experimentally. We see in the above that, just in principle, fundamental quantitative security has not been properly addressed in QKD security analysis and the effect of loss has not been properly accounted for. The widespread perception of proven QKD security is based on several omissions or errors of reasoning:

(i) No proven security against known-plaintext attack when the generated key K is used 
for encryption; 

(ii) Use of single-number constraint on the attacker's probability distribution on K when 
the number is not or cannot be bounded tightly enough; 

(iii) Not including all possible attacks in the presence of significant transmission loss; 

(iv) Not including relevant device characteristics. 

The situation is summarized in the following Table 1:

Table 1: QKD Security Situation

Issue | Perceived | Real
-----------------------------------------------------------------------------------------------
raw security of $K$ during key generation | criterion $\delta \le 2^{-l}$ implies $K$ is perfect with probability $\ge 1 - \epsilon$ | probability Eve gets a subset $\tilde{K} \subseteq K$ can be as big as $2^{-l}$
composition security of $K$ against known-plaintext attack when used in encryption | criterion $d \le 2^{-l}$ implies $K$ is perfect with probability $\ge 1 - \epsilon$ | $d$ is not the proper criterion
privacy amplification | given Eve's entropy, can make $d$ small and hence improve security | cannot improve $p_1$, Eve's maximum probability of getting the whole $K$
key generation rate | $H(A|E) - H(A|B)$ | exponent $l$ of $p_1 \sim 2^{-l}$
determination of security | by analysis of entropy hierarchy with respect to criterion $d$ | by bounding Eve's success probabilities
effect of transmission loss on security | reduction of key rate but not security | many possible attacks by Eve not accounted for
modeling of cryptosystem photon detector | a side channel issue | part of the completeness issue in original system representation

There are two ways to deal with these problems. The first is to limit one's claim, for example to known-plaintext attacks with no quantum memory. One can, say, wait an hour before using the generated key. One can ignore joint attacks that require entanglement across modes either in the probe or in the measurement. The resulting KPA security appears provable for at least KCQ protocols and would still represent major progress beyond what can be obtained with standard ciphers. In any case it is better to avoid misleading terminology like "unconditional", "no signaling", and "device independent". Generally, a more careful and critical attitude in making security claims would be appropriate. The second way is to look for new approaches or major modification of existing ones. In particular, we need a general proof that device internal electronics cannot lead to security loopholes in the protocol.
Note added for v.4: For new developments on the topics of Sections II-IV, see [29]-[30].